CoreWeave provides encryption at rest for etcd data in CoreWeave Kubernetes Service (CKS) clusters using a KMS-backed setup. For new CKS clusters created after June 24, 2025, this feature is enabled by default and requires no action from you.Documentation Index
Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
Use this file to discover all available pages before exploring further.
For existing CKS clusters created on or before June 24, 2025, you need to rotate your existing Kubernetes Secrets once. After that, CoreWeave handles the entire lifecycle securely and transparently.
Rotate secrets in existing clusters
If your CKS cluster was created before June 24, 2025, your existing Secrets may not yet be encrypted. To ensure full encryption coverage, you’ll need to replace the existing Secrets once. Any new Secrets you create going forward will be encrypted automatically. To rotate your Secrets in place, run:Comparison to upstream Kubernetes
While Kubernetes offers encryption at rest as an optional config, CoreWeave enables it by default. Your CKS clusters have Secrets encryption at rest, with none of the operational burden.| Concept | Upstream Kubernetes | CoreWeave CKS |
|---|---|---|
| KMS provider | You choose and configure the provider | CoreWeave |
| Who manages your keys | You manage your keys | CoreWeave |
| Plugin config | You write and deploy it manually | CoreWeave provisions and injects it automatically |
| Encryption scope | You choose what to encrypt | CoreWeave encrypts Secrets by default |
| Key rotation, unseal, backup | Manual setup and maintenance | Automated by CoreWeave |